Description

Run zizmor, a static analysis tool for GitHub Actions, on this repository's workflows to identify and fix security issues. Add zizmor as a CI check.

This follows the same work done in tektoncd/pipeline#9667.

What needs to be done

- Run `zizmor --fix=all .` to auto-fix findings:
  - Add `persist-credentials: false` to all `actions/checkout` steps (artipacked)
  - Fix template injection by replacing `${{ }}` in `run:` blocks with shell env vars (template-injection)
- Add a zizmor CI workflow (`.github/workflows/zizmor.yaml`) that runs on pushes to main and PRs, uploading SARIF results to GitHub Advanced Security
- Fix remaining non-auto-fixable findings manually:
  - `github-script` steps using the `process.env` pattern (template-injection)
  - Use the `gh` CLI where possible (superfluous-actions)
- File follow-up issues for any remaining findings that require broader changes (e.g., secrets-outside-env, secrets-inherit)
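As an added example, not this repository's workflow nor anything taken from tektoncd/pipeline#9667, here is one constructed workflow with the fixes listed above applied; the step names, the event fields read, and the `gh pr comment` call are illustrative choices:

```yaml
# Constructed example workflow showing the zizmor fixes described above.
# Each hardened step carries a comment with the pattern it replaces.
name: pr-checks
on:
  pull_request:

permissions:
  contents: read        # least privilege: no write scopes unless needed
  pull-requests: write  # only because the last step comments on the PR

jobs:
  checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # artipacked: without this, the job token is written into
          # .git/config and can leak via later steps or uploaded artifacts.
          persist-credentials: false

      # template-injection: a ${{ }} expression inside run: is expanded
      # before the shell parses the script, so attacker-controlled fields
      # (PR title, branch name, issue body) are interpreted as shell code.
      #   was:  run: echo "PR title is ${{ github.event.pull_request.title }}"
      - name: Print PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title is $PR_TITLE"   # quoted env var: data, not code

      # Same fix for actions/github-script: read the value from process.env
      # instead of interpolating it into the JavaScript source.
      #   was:  script: core.info(`Ref: ${{ github.head_ref }}`)
      - name: Log head ref
        uses: actions/github-script@v7
        env:
          HEAD_REF: ${{ github.head_ref }}
        with:
          script: core.info(`Ref: ${process.env.HEAD_REF}`)

      # superfluous-actions: where a third-party action only wraps one API
      # call, the preinstalled gh CLI with the job token does the same work
      # and removes a supply-chain dependency. The secret stays in env:.
      - name: Comment on the PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr comment "$PR_NUMBER" --body "checks finished"
```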
Reference
/kind cleanup